Allow multiple role ARNs and Services in Pass Role policy

* Prevents needing to have multiple policies when more than 1 role needs to be passed to a service
dxw · Aug 5, 2024 · 637fec5 · 637fec5
1 parent 0cefd6f
commit 637fec5
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 39 deletions.
diff --git a/README.md b/README.md
@@ -163,8 +163,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_policy.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.infrastructure_rds_s3_backups_image_codebuild_ecr_push](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
@@ -234,8 +233,7 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_iam_role_policy_attachment.infrastructure_ecs_cluster_ssm_service_setting_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
-| [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_allow_builds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_cloudwatch_rw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_image_codebuild_ecr_push](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |

diff --git a/ecs-cluster-infrastructure-service-scheduled-task.tf b/ecs-cluster-infrastructure-service-scheduled-task.tf
@@ -123,8 +123,8 @@ resource "aws_iam_policy" "infrastructure_ecs_cluster_service_scheduled_task_pas
   policy = templatefile(
     "${path.root}/policies/pass-role.json.tpl",
     {
-      role_arn = aws_iam_role.infrastructure_ecs_cluster_service_task_execution[each.value["container_name"]].arn
-      service  = "ecs-tasks.amazonaws.com"
+      role_arns = jsonencode([aws_iam_role.infrastructure_ecs_cluster_service_task_execution[each.value["container_name"]].arn])
+      services  = jsonencode(["ecs-tasks.amazonaws.com"])
     }
   )
 }

diff --git a/ecs-cluster-infrastructure.tf b/ecs-cluster-infrastructure.tf
@@ -74,8 +74,8 @@ resource "aws_iam_policy" "infrastructure_ecs_cluster_pass_role_ssm_dhmc" {
   policy = templatefile(
     "${path.root}/policies/pass-role.json.tpl",
     {
-      role_arn = "arn:aws:iam::${local.aws_account_id}:role/${data.external.ssm_dhmc_setting[0].result.setting_value}",
-      service  = "ssm.amazonaws.com"
+      role_arns = jsonencode(["arn:aws:iam::${local.aws_account_id}:role/${data.external.ssm_dhmc_setting[0].result.setting_value}"])
+      services  = jsonencode(["ssm.amazonaws.com"])
     }
   )
 }

diff --git a/policies/pass-role.json.tpl b/policies/pass-role.json.tpl
@@ -6,12 +6,10 @@
       "Action": [
         "iam:PassRole"
       ],
-      "Resource": "${role_arn}",
+      "Resource": ${role_arns},
       "Condition": {
         "StringEquals": {
-          "iam:PassedToService": [
-            "${service}"
-          ]
+          "iam:PassedToService": ${services}
         }
       }
     }

diff --git a/rds-infrastructure-s3-backups-scheduled-task.tf b/rds-infrastructure-s3-backups-scheduled-task.tf
@@ -24,46 +24,28 @@ resource "aws_iam_role_policy_attachment" "infrastructure_rds_s3_backups_cloudwa
   policy_arn = aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task[each.key].arn
 }
 
-resource "aws_iam_policy" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role" {
+resource "aws_iam_policy" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role" {
   for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
 
   name        = "${local.resource_prefix}-${substr(sha512("rds-s3-backups-cloudwatch-schedule-${each.key}-pass-role-execution-role"), 0, 6)}"
   description = "${local.resource_prefix}-rds-s3-backups-cloudwatch-schedule-${each.key}-pass-role-execution-role"
   policy = templatefile(
     "${path.root}/policies/pass-role.json.tpl",
     {
-      role_arn = aws_iam_role.infrastructure_rds_s3_backups_task_execution[each.key].arn
-      service  = "ecs-tasks.amazonaws.com"
+      role_arns = jsonencode([
+        aws_iam_role.infrastructure_rds_s3_backups_task_execution[each.key].arn,
+        aws_iam_role.infrastructure_rds_s3_backups_task[each.key].arn,
+      ])
+      services = jsonencode(["ecs-tasks.amazonaws.com"])
     }
   )
 }
 
-resource "aws_iam_role_policy_attachment" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role" {
+resource "aws_iam_role_policy_attachment" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role" {
   for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
 
   role       = aws_iam_role.infrastructure_rds_s3_backups_cloudwatch_schedule[each.key].name
-  policy_arn = aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role[each.key].arn
-}
-
-resource "aws_iam_policy" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role" {
-  for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
-
-  name        = "${local.resource_prefix}-${substr(sha512("rds-s3-backups-cloudwatch-schedule-${each.key}-pass-role-task-role"), 0, 6)}"
-  description = "${local.resource_prefix}-rds-s3-backups-cloudwatch-schedule-${each.key}-pass-role-task-role"
-  policy = templatefile(
-    "${path.root}/policies/pass-role.json.tpl",
-    {
-      role_arn = aws_iam_role.infrastructure_rds_s3_backups_task[each.key].arn
-      service  = "ecs-tasks.amazonaws.com"
-    }
-  )
-}
-
-resource "aws_iam_role_policy_attachment" "infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role" {
-  for_each = local.enable_infrastructure_rds_backup_to_s3 ? local.infrastructure_rds : {}
-
-  role       = aws_iam_role.infrastructure_rds_s3_backups_cloudwatch_schedule[each.key].name
-  policy_arn = aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_task_role[each.key].arn
+  policy_arn = aws_iam_policy.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role[each.key].arn
 }
 
 resource "aws_cloudwatch_event_rule" "infrastructure_rds_s3_backups_scheduled_task" {
@@ -101,6 +83,6 @@ resource "aws_cloudwatch_event_target" "infrastructure_rds_s3_backups_scheduled_
 
   depends_on = [
     aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_ecs_run_task,
-    aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role_execution_role,
+    aws_iam_role_policy_attachment.infrastructure_rds_s3_backups_cloudwatch_schedule_pass_role,
   ]
 }